
Feature: Add image hash support #121

Merged
merged 9 commits into from
Jun 26, 2023

Conversation

eeriedusk
Contributor

@eeriedusk eeriedusk commented Apr 24, 2023

This pull request adds the feature to calculate an event image hash through a new LinuxHelper LinuxGetFileHash.

It allows configuring SHA1, MD5 and/or SHA256 through the HashAlgorithms configuration tag and depends on OpenSSL::Crypto (libssl-dev/openssl-devel). OpenSSL being an easy solution here, it is also possible to replace it with standard headers in case of any licensing difficulties.

As the N_Hash field is handled by eventsCommon.cpp in the SysmonCommon submodule, this pull request fully depends on and is directly linked to another PR on the SysmonCommon repository.
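The hashing step the PR describes, sketched as an added example (not code from this PR or from SysmonForLinux), in Python with hashlib standing in for the OpenSSL::Crypto calls the helper uses: it maps a HashAlgorithms value to a bitmask, hashes the image file in a single read for every selected digest, and returns an empty string when nothing is selected or the file cannot be read. The flag values, the function names and the `NAME=hex` output format are assumptions, not the project's own.

```python
import hashlib
import os
import tempfile

# Assumed flag values standing in for the hash type the PR stores in m_HashType.
HASH_SHA1, HASH_MD5, HASH_SHA256 = 0x1, 0x2, 0x4
_ALGORITHMS = [(HASH_SHA1, "SHA1"), (HASH_MD5, "MD5"), (HASH_SHA256, "SHA256")]

def parse_hash_algorithms(value):
    """Map a HashAlgorithms value ("SHA1,SHA256", "md5", "*") to a bitmask.
    A missing or empty tag yields 0 (hash nothing) rather than failing."""
    if not value or not value.strip():
        return 0
    if value.strip() == "*":
        return HASH_SHA1 | HASH_MD5 | HASH_SHA256
    mask = 0
    for token in value.split(","):
        flags = [f for f, label in _ALGORITHMS if label == token.strip().upper()]
        if not flags:
            raise ValueError(f"unknown hash algorithm: {token!r}")
        mask |= flags[0]
    return mask

def get_file_hash(path, hash_type, chunk_size=64 * 1024):
    """Read the image file once, feeding every selected digest from the same chunks.
    Returns "SHA1=...,MD5=..." text, or "" if nothing is selected or the file
    cannot be read (the executable may already be gone when the event is handled)."""
    digests = [(label, hashlib.new(label.lower()))
               for flag, label in _ALGORITHMS if hash_type & flag]
    if not digests:
        return ""
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                for _, h in digests:
                    h.update(chunk)
    except OSError:
        return ""
    return ",".join(f"{label}={h.hexdigest().upper()}" for label, h in digests)

def demo():
    """Constructed sample: hash a temporary file holding b"hello" with all three digests."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"hello")
    try:
        return get_file_hash(f.name, parse_hash_algorithms("*"))
    finally:
        os.unlink(f.name)
```

Because the digest comes from the path after the event, it reflects the file on disk at hash time, not necessarily the bytes that were executed; an empty result for a process that clearly ran (image deleted or replaced before it could be read) is worth surfacing rather than dropping.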

@MarioHewardt
Collaborator

FYI - The "checks" are failing as a result of our build systems not including the new OpenSSL requirements which results in a build break. I'll have to take a look at the licensing requirements but assuming that is all ok, I'll update our build systems to include OpenSSL.

@eeriedusk
Contributor Author

@MarioHewardt Any update on this request?

@MarioHewardt
Collaborator

Sorry for the delay (I was out of the office for a bit). I will take a look hopefully by mid next week.

@MarioHewardt
Collaborator

@eeriedusk We should also add openssl as a dependency to the control.in file.

@eeriedusk
Contributor Author

@MarioHewardt I moved the hash flag handling from linuxHelpers.cpp to sysmonforlinux.c; handleEvent can now call processProcessCreate to set m_HashType. I also double-check stringBuffer[256] for overflow even though it shouldn't happen. I guess the checks failed because of the SysmonCommon dependency 😕

@eeriedusk
Contributor Author

I forced OPT_VALUE( HashAlgorithms ) into an unsigned int *hashTypePtr variable to avoid the dereference of a null pointer.
It seems like the other warnings were already occurring on previous SysmonForLinux versions (tested on the main branch e790b90014595744777b4d7a77804407a008eb1e and the 1.2.0.0 release).

@MarioHewardt
Collaborator

I've approved both PRs. Please merge the SysmonCommon one first and then update this PR with the latest SysmonCommon submodule commit.

@eeriedusk
Contributor Author

You will have to merge the SysmonCommon PR as I don't have write access to both repositories.

@MarioHewardt
Collaborator

SysmonCommon has been merged.

@MarioHewardt MarioHewardt merged commit 571692c into microsoft:main Jun 26, 2023
@MarioHewardt
Collaborator

@eeriedusk Thanks much for the work on this!

@eeriedusk eeriedusk deleted the feature/image-hash-support branch June 27, 2023 13:32